[+Cc linux-fscrypt]

On Sun, Jun 16, 2019 at 09:13:01PM +0200, Ard Biesheuvel wrote:
> >
> > - ESSIV is useful only for CBC mode. I wish we would move to some better mode
> > in the future instead of cementing CBC use... But if it helps people
> > to actually use an unpredictable IV for CBC, it is the right approach.
> > (yes, I know XTS has its own problems as well... but IMO that should be the default
> > for sector/fs-block encryption these days :)
> >
>
> I agree that XTS should be preferred. But for some reason, the
> kernel's XTS implementation does not support ciphertext stealing (as
> opposed to, e.g., OpenSSL), and so CBC ended up being used for
> encrypting the filenames in fscrypt.
>

Actually, for fscrypt CTS-CBC was also chosen because all filenames in each
directory use the same IV, in order to efficiently support all the possible
filesystem operations and to support filenames up to NAME_MAX. So there was a
desire for there to be some propagation across ciphertext blocks rather than
use XTS, which would effectively be ECB in this case. Neither solution is
great, though, since CBC-CTS still has the common prefix problem.

Long-term we're planning to switch to an AES-based wide-block mode such as
AES-HEH or AES-HCTR for filename encryption. This is already solved for
Adiantum users since Adiantum is a wide-block mode, but there should be a pure
AES solution too to go along with AES contents encryption.

- Eric
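As an added illustration of the trade-off described above (example code, not from the thread, the kernel or fscrypt), this Go program implements CBC with ciphertext stealing in the CS3 layout of the kernel's cts(cbc(aes)) and checks, for two constructed filenames encrypted under one shared directory IV, which ciphertext blocks coincide. The shared first block shows up in both modes (the common-prefix problem); only the per-position stand-in for XTS with a single reused tweak also exposes the matching third block. The names, key and zero IV are made-up test values.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
)

// cbcCts: CBC with ciphertext stealing, CS3 layout (last two ciphertext blocks swapped) as in the kernel's cts(cbc(aes)).
func cbcCts(blk cipher.Block, iv, msg []byte) []byte {
	bs := blk.BlockSize()
	m, r := (len(msg)-1)/bs+1, (len(msg)-1)%bs+1 // block count and bytes in the final block (msg is >= 1 block)
	prev, c := iv, make([][]byte, m)
	for i := range c {
		p := make([]byte, bs)
		copy(p, msg[i*bs:]) // block i, zero-padded; copy stops at the shorter slice
		for j := range p {
			p[j] ^= prev[j]
		}
		blk.Encrypt(p, p) // in place: exact overlap is allowed
		c[i], prev = p, p
	}
	if m > 1 { // CS3: the full final block comes first, then the truncated block before it
		c[m-2], c[m-1] = c[m-1], c[m-2][:r]
	}
	return bytes.Join(c, nil)
}
// ecbBlocks stands in for XTS under one reused tweak: each block position then has a fixed tweak, so equal plaintext blocks at equal positions collide exactly as in ECB.
func ecbBlocks(blk cipher.Block, msg []byte) []byte {
	out := make([]byte, len(msg))
	for i := 0; i < len(msg); i += blk.BlockSize() {
		blk.Encrypt(out[i:], msg[i:])
	}
	return out
}
// equalBlocks marks the 16-byte positions where two ciphertexts agree: what is visible without the key.
func equalBlocks(a, b []byte) []bool {
	eq := make([]bool, len(a)/16)
	for i := range eq {
		eq[i] = bytes.Equal(a[i*16:i*16+16], b[i*16:i*16+16])
	}
	return eq
}
// leakPattern encrypts two constructed zero-padded names (blocks 1 and 3 equal, block 2 differs) under one directory IV and a test key that is not a secret.
func leakPattern() (cts, ecb []bool) {
	blk, _ := aes.NewCipher([]byte("0123456789abcdef0123456789abcdef"))
	iv := make([]byte, 16)
	a, b := []byte("quarterly-report-2019-Q1-draft.v1.xlsx\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"), []byte("quarterly-report-2019-Q2-draft.v1.xlsx\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00")
	return equalBlocks(cbcCts(blk, iv, a), cbcCts(blk, iv, b)), equalBlocks(ecbBlocks(blk, a), ecbBlocks(blk, b))
}
```

The CBC-CTS result is [true false false]: the first block leaks the common prefix, but the chaining hides that the third plaintext block is identical, whereas the single-tweak stand-in returns [true false true].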